CVE-2026-46356 is a medium-severity security vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions < 4.80.1. It is fixed in 4.80.1.
Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP addresses from request headers (True-Client-IP, X-Real-IP, X-Forwarded-For) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Workarounds If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites X-Forwarded-For with the true client IP, and apply rate limiting at the proxy or WAF layer. For more information If you have any questions or comments about this advisory: Email us at [email protected] Join #fleet in osquery Slack Credits We thank @fuzzztf for responsibly reporting this issue.
go
github.com/fleetdm/fleet/v4 (< 4.80.1)github.com/fleetdm/fleet/v4 → 4.80.1 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46356 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-46356 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-46356 in your environment →Upgrade github.com/fleetdm/fleet/v4 to 4.80.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-46356 is a medium-severity security vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions < 4.80.1. It is fixed in 4.80.1.
github.com/fleetdm/fleet/v4 (go) versions < 4.80.1 is affected.
Yes. CVE-2026-46356 is fixed in 4.80.1. Upgrade to this version or later.
Whether CVE-2026-46356 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/fleetdm/fleet/v4 to 4.80.1 or later.